Projects / samhain


samhain is a daemon that can check file integrity, search the file tree for SUID files, and detect kernel module rootkits (Linux only). It can be used either standalone or as a client/server system for centralized monitoring, with strong (192-bit AES) encryption for client/server connections and the option to store databases and configuration files on the server. For tamper resistance, it supports signed database/configuration files and signed reports/audit logs. It has been tested on Linux, FreeBSD, Solaris, AIX, HP-UX, and Unixware.

Recent releases

  •  06 Dec 2013 22:55

Release Notes: Support for sha2-256 has been added and some bugs have been fixed.

  •  19 Jun 2013 19:39

Release Notes: A regression in the handling of growing log files has been fixed. For compiling with the kernel check option, the detection of an existing yet non-functional /dev/kmem device has been improved.

Release Notes: Log rotation can be handled more gracefully now. An option to ignore modifications of transient files during their lifetime has been added, and it is possible now to build a Debian client package with a preset password. A problem with large groups has been fixed, as well as reconnecting to a temporarily unavailable Oracle database.

  •  19 Jan 2013 15:01

Release Notes: This release fixes a regression that made samhain block indefinitely if the inotify mode for file checking was used.

  •  28 Dec 2012 22:08

Release Notes: Some build errors have been fixed, as well as the 'probe' command for the server (clients could be erroneously omitted under certain conditions). An option has been added to the Windows registry check to ignore changes if only the timestamp has changed, and full scans requested by the inotify module will now only run at times configured for regular full scans.

Recent comments

21 Mar 2001 12:59 sk00t

Samhain rocks da house!!!
This is bar none *THE* coolest integrity checker out there. I've played with every single one I can find: Tripwire, Sentinel, Aide, FCheck, Viper, etc., etc., and this is the sh*t!


1. Platform-independent (builds on just about anything)

2. Small footprint

3. Fast

4. Stealth mode (very cool)

5. Clean code (not somebody's sophomore C project)

6. Client / server mode (send reports to a central server over a secure channel)

7. Obscure Glenn Danzig reference

8. Docs that don't suck and an active development community

